Nmap.org describes the Nmap Scripting Engine (NSE) as one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts in the Lua programming language to automate a wide variety of networking tasks. Those scripts are executed in parallel, with the speed and efficiency you expect from Nmap. Users can rely on the growing, diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
To my amusement, Nmap's features are growing day by day. It was introduced just as a port scanner, and it has now reached a stage where you can even use it for basic vulnerability analysis. The vulnerability (script) database is increasing day by day, version by version. Precisely 177 scripts are available with version 5.50, which is the latest Nmap release.
Before script-scanning networks, let’s try to understand a few ready-made scripts that let us detect various vulnerabilities in the network and devices at one go, in a very short time. Please remember, once you find vulnerabilities, you should immediately take corrective action to close them. These corrective measures may be as simple as changing passwords, disabling unused accounts, or as time-consuming and crucial as applying security patches or removing detected worms.
Table 1: Some useful Nmap scripts

No. | Script | Function
1. | dhcp-discover | Discovers DHCP servers on the network; the UDP discover request is sent from port 67, and the response is received on port 68.
2. | ftp-bounce | Checks whether there are FTP servers that allow an FTP bounce attack to other hosts on the network. (Please refer to earlier articles, where we have discussed FTP bounce attacks.)
3. | http-iis-webdav-vuln | Checks whether hosts with the vulnerabilities listed in Microsoft security bulletin MS09-020 (IIS 5.1/IIS 6.0) are present on the network.
4. | ms-sql-info | Identifies Microsoft SQL Server details.
5. | mysql-info | Identifies MySQL Server details.
6. | p2p-conficker | Checks whether a host is infected by the Conficker.C worm.
7. | smb-enum-shares | A very interesting script, which identifies all SMB shares within the specified address range.
8. | smb-enum-users | Identifies all SMB user names within the specified address range.
9. | sniffer-detect | Finds hosts with pcap libraries installed.
10. | sshv1 | Lists all hosts with SSH version 1. As most of you will be aware, this version has documented vulnerabilities.
The various command line options for script scanning are as follows:
-sC — basic script scan.
--script-updatedb — updates the script database.
Some of the scripts require the --script-args=unsafe=1 option to be set. Please remember, this is a destructive test; these scripts will almost surely crash a system with the corresponding vulnerability. Be careful you do not use this option in a live production environment.
The actual scans
To start with, create a file IPList.txt listing all the active hosts on the network; this file specifies the target hosts to Nmap. Next, let us analyse the results of a few scans performed in a live environment. When you wish to try these scans, don't forget to take written permission from the management.
Checking for SSHv1
Table 2: sshv1 scan

Command/details | Explanation
nmap --script sshv1 -iL IPList.txt -oN sshv1.txt | The command line, running only one script, sshv1, against the hosts listed in IPList.txt and saving normal output to sshv1.txt.

Masked output of sshv1.txt:
Nmap scan report for 192.168.1.4
Host is up (0.00011s latency).
Not shown: 984 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
|_sshv1: Server supports SSHv1
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
Sniffer detection
Table 3: sniffer-detect scan

Command/details | Explanation
nmap --script sniffer-detect -iL IPList.txt -oN sniffer-detect.txt | Initiates sniffer detection on the hosts listed in IPList.txt, saving normal output to sniffer-detect.txt.

Masked output of sniffer-detect.txt:
Nmap scan report for 192.168.1.26
Host is up (0.00012s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2967/tcp open  symantec-av
5101/tcp open  admdog
5225/tcp open  unknown
5226/tcp open  unknown
8008/tcp open  http
MAC Address: 00:XX:XX:XX:XX:2D (Intel Corporate)
Host script results:
|_sniffer-detect: Windows with libpcap installed; may or may not be sniffing (tests: "1_1___1_")
smb-enum-users
This is a very interesting script. In one go, you can identify all the users present on the entire network, and their status. You may wish to identify which of them have left the organisation, and disable/delete the corresponding account, as per company policy.
Table 4: smb-enum-users scan

Command/details | Explanation
nmap --script smb-enum-users -iL IPList.txt -oN smb-enum-users.txt | Scans all hosts listed in IPList.txt for SMB users, saving normal output to smb-enum-users.txt.

Masked output of smb-enum-users.txt:
Nmap scan report for 192.168.1.109
Host is up (0.00015s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1000/tcp open  cadlock
1145/tcp open  unknown
1720/tcp open  H.323/Q.931
2401/tcp open  cvspserver
2967/tcp open  symantec-av
5060/tcp open  sip
5061/tcp open  sip-tls
5101/tcp open  admdog
MAC Address: 00:XX:XX:XX:XX:04 (G-pro Computer)
Host script results:
| smb-enum-users:
|   TESTCOMPANY\A--------y (RID: 1228)
|   TESTCOMPANY\accounts_user (RID: 1125)
|   TESTCOMPANY\Administrator (RID: 500)
|   TESTCOMPANY\a---------r (RID: 1168)
|   TESTCOMPANY\a---------g (RID: 1224)
|   TESTCOMPANY\a---------r (RID: 1122)
|   TESTCOMPANY\A---------D$ (RID: 1249)
|   TESTCOMPANY\a---------e (RID: 1199)
|   TESTCOMPANY\A---------r (RID: 1231)
|   TESTCOMPANY\a---------e (RID: 1186)
|   TESTCOMPANY\A---------S$ (RID: 1218)
|   TESTCOMPANY\A---------S2$ (RID: 1227)
|   TESTCOMPANY\c---------r (RID: 1120)
|   TESTCOMPANY\c---------r (RID: 1120)
|   TESTCOMPANY\cvsserver$ (RID: 1176)
|   TESTCOMPANY\d---------e (RID: 1174)
|   TESTCOMPANY\d---------y (RID: 1212)
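Once the three scans above have produced their -oN files, the next job is triage: which hosts still speak SSHv1, which carry a capture library, and which accounts were enumerated. The following Python parser is an added example (not part of the original article or of Nmap) that groups the script results from the kind of normal output shown in Tables 2 to 4 per host; the sample output embedded in it is constructed and masked the same way as the article's.

```python
"""Triage parser for Nmap normal output (-oN) produced by NSE script scans.
Added example (not from the article); it groups script results per host
so that the remediation the article calls for can be tracked."""
import re
from collections import defaultdict

# Constructed sample, masked like the article's output (two hosts, three scripts).
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.4
Host is up (0.00011s latency).
22/tcp  open  ssh
|_sshv1: Server supports SSHv1
Nmap scan report for 192.168.1.109
Host is up (0.00015s latency).
445/tcp open  microsoft-ds
Host script results:
| smb-enum-users:
|   TESTCOMPANY\\Administrator (RID: 500)
|   TESTCOMPANY\\accounts_user (RID: 1125)
|_  TESTCOMPANY\\cvsserver$ (RID: 1176)
|_sniffer-detect: Windows with libpcap installed; may or may not be sniffing (tests: "1_1___1_")
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")      # "|_sshv1: ..." / "| smb-enum-users:"
USER_RE = re.compile(r"^\|_?\s+(\S+\\\S+) \(RID: (\d+)\)")  # "|   DOMAIN\user (RID: n)"

def parse_script_results(text):
    """Return {host: {script_id: result}}; smb-enum-users maps to {account: rid}."""
    findings = defaultdict(dict)
    host = current = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, current = m.group(1), None          # new host report starts
        elif host and current == "smb-enum-users" and (m := USER_RE.match(line)):
            findings[host][current][m.group(1)] = int(m.group(2))
        elif host and (m := SCRIPT_RE.match(line)):
            current = m.group(1)
            findings[host][current] = {} if current == "smb-enum-users" else m.group(2)
    return dict(findings)

def hosts_needing_action(findings):
    """Hosts to remediate: SSHv1 still enabled, or a capture library present."""
    flagged = set()
    for host, results in findings.items():
        if results.get("sshv1", "").startswith("Server supports SSHv1"):
            flagged.add(host)
        if "libpcap installed" in results.get("sniffer-detect", ""):
            flagged.add(host)
    return sorted(flagged)
```

Run parse_script_results() on the contents of sshv1.txt, sniffer-detect.txt or smb-enum-users.txt and feed the result to hosts_needing_action() to get the remediation list; the smb-enum-users mapping can then be compared against the HR leavers list as the text above suggests.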
The power of Nmap script scans doesn't end here. By using various scanning options, you can run combinations of script categories (SMB scans, HTTP scans, etc.) at one go.